CLAIMS 

WHAT IS CLAIMED IS: 

1. A machine-executable method for executing a trusted command
issued by a user, said method comprising the steps of:

(a) parsing the trusted command in an untrusted computing 
environment to generate a parsed command; 

(b) submitting the parsed command to a trusted computing 
environment; and 

(c) executing the parsed command in the trusted computing 
environment. 



2. A method including the steps of claim 1 and additionally including
the steps, executed after step (b) of claim 1, of:

(1) in the trusted environment, displaying a representation of
the parsed command to the user;

(2) receiving a signal from the user signifying whether the
displayed representation accurately represents the user's
intentions; and

(3) if the signal signifies that the displayed representation does
not accurately represent the user's intentions, then
preventing the performance of step (c) of claim 1.



3. The method of claim 2 wherein the representation of the parsed
command is displayed, and the signal from the user is received, 
through a trusted path. 



4. The method of claim 1 wherein the trusted computing
environment comprises a security kernel. 



5. The method of claim 1 wherein the untrusted computing
environment comprises a general operating system. 



6. A method for executing in a computing system a trusted command
issued by a user, said method comprising the steps of:

(a) receiving user identification data from the user via a
trusted path;

(b) receiving the trusted command from the user via an
untrusted path;

(c) parsing the trusted command in an untrusted computing
environment to generate a parsed command;

(d) submitting the parsed command to a trusted computing
environment;

(e) in the trusted computing environment, performing a security
check on the parsed command and user identification data;
and

(f) in the trusted computing environment, executing the trusted
command.



7. The method of claim 6, wherein the security check enforces an
Orange Book security criterion.



8. A method including the steps of claim 6 and additionally including
the steps, executed after step (d) and before step (f) of claim 6,
of:

(1) in the trusted environment, displaying a
representation of the parsed command to the user;

(2) receiving a signal from the user signifying whether
the displayed representation accurately represents the
trusted command; and

(3) if the signal signifies that the displayed
representation does not accurately represent the
trusted command, then preventing the performance
of step (f) of claim 6.



9. A method including the steps of claim 6 and additionally including
the steps, executed after step (d) and before step (f) of claim 6,
of:

(1) in the trusted environment, displaying a
representation of the parsed command to a second
user;

(2) receiving a signal from the second user signifying
whether the displayed representation accurately
represents a legitimate command; and

(3) if the signal signifies that the displayed
representation does not accurately represent a
legitimate command, then preventing the
performance of step (f) of claim 6.
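The split described in claims 1 through 9, as an added example that is not code from the patent: an untrusted parser produces a parsed command, and a trusted executor re-displays it over a trusted path, waits for the user's confirmation (and optionally a second user's approval, as in claim 9), runs a security check on the parsed command together with the user's identification data, and only then executes. The command grammar, the Bell-LaPadula style rule used as the "Orange Book security criterion", and all class and function names are illustrative assumptions.

```python
# Added example, not code from the patent: a minimal "untrusted parser /
# trusted executor" split with trusted-path confirmation and a security
# check. The command grammar, the policy and all names are illustrative
# assumptions; a real system would run TrustedKernel inside a security kernel.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class ParsedCommand:
    verb: str      # "read" or "write"
    target: str    # object the command acts on
    level: int     # sensitivity level of that object


@dataclass(frozen=True)
class UserIdent:
    name: str
    clearance: int  # highest level the user may read


# --- untrusted computing environment (general operating system) -------------
def untrusted_parse(text: str) -> ParsedCommand:
    """Parses 'verb target level'. Lives outside the trusted base, so its
    output is treated as a claim to be confirmed, never as ground truth."""
    verb, target, level = text.split()
    return ParsedCommand(verb, target, int(level))


def compromised_parse(text: str) -> ParsedCommand:
    """Models a subverted parser that silently swaps in a different target."""
    pc = untrusted_parse(text)
    return ParsedCommand(pc.verb, "/secret/plans", pc.level)


# --- trusted computing environment (security kernel) ------------------------
class TrustedKernel:
    def __init__(self, display: Callable[[str], None],
                 confirm: Callable[[str], bool]) -> None:
        # display() and confirm() stand for the trusted path: output the user
        # knows came from the kernel, and an input the untrusted environment
        # cannot forge.
        self.display = display
        self.confirm = confirm
        self.executed: List[ParsedCommand] = []

    @staticmethod
    def representation(pc: ParsedCommand) -> str:
        """Canonical rendering shown to the user before anything runs."""
        return f"{pc.verb} {pc.target} (level {pc.level})"

    @staticmethod
    def security_check(user: UserIdent, pc: ParsedCommand) -> bool:
        """Illustrative mandatory access control rule in the spirit of the
        Orange Book (Bell-LaPadula): no read-up, no write-down."""
        if pc.verb == "read":
            return pc.level <= user.clearance
        if pc.verb == "write":
            return pc.level >= user.clearance
        return False

    def submit(self, user: UserIdent, pc: ParsedCommand,
               second_user: Optional[Callable[[str], bool]] = None) -> str:
        rep = self.representation(pc)
        self.display(rep)                      # show exactly what was parsed
        if not self.confirm(rep):              # user: "that is not what I meant"
            return "rejected: user did not confirm"
        if second_user is not None and not second_user(rep):
            return "rejected: second user did not approve"
        if not self.security_check(user, pc):
            return "denied: security check failed"
        self.executed.append(pc)               # only now does anything run
        return "executed"


def scenario(parser: Callable[[str], ParsedCommand], user: UserIdent,
             typed: str, intended: str,
             second_user: Optional[Callable[[str], bool]] = None) -> str:
    """Runs one command through the split. `intended` is the representation
    the user expects to see on the trusted display; confirm() compares."""
    kernel = TrustedKernel(display=lambda s: None,
                           confirm=lambda rep: rep == intended)
    return kernel.submit(user, parser(typed), second_user)


if __name__ == "__main__":
    alice = UserIdent("alice", clearance=2)
    want = "read /home/alice/notes (level 1)"
    print(scenario(untrusted_parse, alice, "read /home/alice/notes 1", want))
    print(scenario(compromised_parse, alice, "read /home/alice/notes 1", want))
```

The point the example makes is that the parser's correctness is never assumed: a tampered parser that rewrites the target is caught because the user sees the kernel's own rendering of the parsed command, not the parser's, and refuses to confirm it. The security check is independent of that confirmation; a command the user genuinely meant is still denied when it violates the policy.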



10. A method for ensuring the existence of a trusted path in a
computing system comprising the steps of:

(a) in a trusted computing environment, upon login by a user,
assigning a process identifier to the user in the trusted
computing environment;

(b) storing the assigned process identifier in trusted memory;

(c) establishing a trusted path;

(d) in the trusted path, displaying the process identifier to the
user; and

(e) upon a subsequent entry into the trusted path, displaying
the process identifier to the user.



11. The method of claim 10 wherein the process identifier is a
randomly or pseudo-randomly generated group of alphanumeric
characters.



12. The method of claim 11 wherein the process identifier is 
pronounceable. 
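The trusted-path assurance of claims 10 through 12, as an added example that is not code from the patent: at login the trusted environment generates a pronounceable, pseudo-random identifier, keeps it in memory that untrusted code cannot read, and shows it on every entry into the trusted path, so the user can distinguish a genuine trusted-path prompt from a program imitating one. The consonant/vowel alphabet, the three-syllable length and all names are illustrative assumptions.

```python
# Added example, not code from the patent: a per-login process identifier
# generated in the trusted environment, kept in trusted memory and shown on
# every entry into the trusted path. Alphabet, syllable count and names are
# illustrative assumptions.
import secrets
from typing import Callable, Dict

CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"


def pronounceable_identifier(syllables: int = 3) -> str:
    """Consonant-vowel pairs drawn from a CSPRNG, e.g. 'kobatu', which a
    user can remember and compare more easily than a hex string."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))


def is_pronounceable(ident: str) -> bool:
    """Checks the consonant/vowel alternation the generator guarantees."""
    return (len(ident) > 0 and len(ident) % 2 == 0 and
            all(c in CONSONANTS for c in ident[0::2]) and
            all(v in VOWELS for v in ident[1::2]))


class TrustedEnvironment:
    """Security-kernel side: owns the trusted memory and the trusted display."""

    def __init__(self, display: Callable[[str], None]) -> None:
        self._trusted_memory: Dict[str, str] = {}   # user -> identifier
        self._display = display

    def login(self, user: str) -> str:
        ident = pronounceable_identifier()
        self._trusted_memory[user] = ident   # where untrusted code cannot read it
        self.enter_trusted_path(user)        # first display, at login
        return ident

    def enter_trusted_path(self, user: str) -> str:
        """Every later entry re-displays the identifier; an imitation prompt
        cannot, because it never learned it."""
        ident = self._trusted_memory[user]
        self._display(f"[trusted path] session {ident}")
        return ident


def spoofed_prompt(display: Callable[[str], None]) -> str:
    """An untrusted program imitating the trusted-path banner. It has no
    access to trusted memory, so it can only show a placeholder or a guess."""
    display("[trusted path] session ??????")
    return "??????"


def user_accepts(shown: str, remembered: str) -> bool:
    """The user's check: accept the prompt only if it shows the identifier
    assigned at login."""
    return shown == remembered


if __name__ == "__main__":
    env = TrustedEnvironment(display=print)
    remembered = env.login("alice")
    print(user_accepts(env.enter_trusted_path("alice"), remembered))   # True
    print(user_accepts(spoofed_prompt(print), remembered))             # False
```

The identifier is a per-session secret shared only between the trusted environment and the user; it defends against an untrusted program that imitates the trusted-path user interface, not against a compromised trusted environment. With this alphabet, three syllables give 70^3 (about 343,000) possible values, which is enough for a value an impostor has to guess correctly on the first try, but the identifier should still be regenerated at every login as claim 10 step (a) requires.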
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13. M automatic data processing machine programmed to execute the 
method of any one of claims 1 to 12. 



14. An automatic data processing machine comprising means for
performing the method steps of any one of claims 1 to 12.



15. A program storage device readable by a machine and tangibly
embodying a representation of a program of instructions adaptable
to be executed by said machine to perform the method of any
one of claims 1 to 12.
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Apparatus for executing a trusted command that is issued by a 
user and that is parsed by untrusted parsing means to generate a 
sed command, comprising: 

(a) \rusted means for receiving the parsed command; and 



(b) trusted means for executing the parsed command. 



17. Apparatus for controlling the execution by a machine of a trusted
command that is issued by a user and that is parsed by untrusted
parsing means to generate a parsed command, comprising:

(a) trusted-program storage means, readable by the machine,
for causing the machine to receive the parsed command
from the untrusted parsing means; and



(b) trusted-program storage means, readable by the machine, 
for causing the machine to execute the parsed command. 
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Apparatus for controlling the execution by a machine of a trusted- 
command that is issued by a user with user identification data and 

at is parsed by untrusted parsing means to generate a parsed 
conunand, comprising: 

(a) tWed program storage means, readable by the machine, 
forNcausing the machine to receive the user identification 
data from the user; 

(b) trusted program storage means, readable by the machine, 
for causmg V/ma^bine to receive the parsed command 
from the untr^tej parsing means; 

(c) trusted program storage means, readable by the machine, 
for causing the machine to perform a security check on the 
parsed command and aycurity check on the user 
identification data; and 

(d) trusted program storage means, readable by the machine, 
for causing the machine to exeW the trusted command. 
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1 19. \Apparatus as in claim 18 and additionally comprising: — 

2 \ 

3 (1)\ trusted program storage means, readable by the machine, 

4 Vor causing the machine to display a representation of the 

5 parsed command to the user; 

\ 

7 (2) trusted\program storage means, readable by the machine, 

8 for causing the machine to receive a signal from the user 

9 signifying Whether the displayed representation accurately 
10 represents the. trusted command; and 

12 (3) trusted program / stprage means, readable by the machine, 

13 for preventing the machine from executing the trusted 

14 command if the signaKsignifies that the parsed command 

15 does not accurately represent the trusted command. 

16 \ 

17 20. Apparatus as in claim 18 and additionally comprising: 

18 \ 

19 (1) trusted program storage means, readable by the machine, 

20 for causing the machine to displayva representation of the 

21 parsed command to a second user; \ 

22 \ 

23 (2) trusted program storage means, readableNby the machine, 

24 for causing the machine to receive a signal\from the second 
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user signifying whether the displayed representation 
^curately represents a legitimate command; and 



trusted p/omlm stbrage means, readable by the machine, 
for prev^jM^Sg^tne machine from executing the trusted 
command if the signal signifies that the parsed command 
does not accurately represent a legitimate command. 